Zero Trust and Third-Party Risk
Reduce the Blast Radius
1. Edition October 2023
240 Pages, Hardcover
Wiley & Sons Ltd
ISBN:
978-1-394-20314-7
John Wiley & Sons
Dramatically lower the cyber risk posed by third-party software and vendors in your organization
In Zero Trust and Third-Party Risk, veteran cybersecurity leader Gregory Rasner delivers an accessible and authoritative walkthrough of the fundamentals and finer points of the zero trust philosophy and its application to the mitigation of third-party cyber risk. In this book, you'll explore how to build a zero trust program and nurture it to maturity. You will also learn how and why zero trust is so effective in reducing third-party cybersecurity risk.
The author uses the story of a fictional organization--KC Enterprises--to illustrate the real-world application of zero trust principles. He takes you through a full zero trust implementation cycle, from initial breach to cybersecurity program maintenance and upkeep. You'll also find:
* Explanations of the processes, controls, and programs that make up the zero trust doctrine
* Descriptions of the five pillars of implementing zero trust with third-party vendors
* Numerous examples, use-cases, and stories that highlight the real-world utility of zero trust
An essential resource for board members, executives, managers, and other business leaders, Zero Trust and Third-Party Risk will also earn a place on the bookshelves of technical and cybersecurity practitioners, as well as compliance professionals seeking effective strategies to dramatically lower cyber risk.
Foreword xiii
INTRODUCTION: Reduce the Blast Radius xvii
Part I Zero Trust and Third-Party Risk Explained 1
Chapter 1 Overview of Zero Trust and Third-Party Risk 3
Zero Trust 3
What Is Zero Trust? 4
The Importance of Strategy 5
Concepts of Zero Trust 6
1. Secure Resources 7
2. Least Privilege and Access Control 8
3. Ongoing Monitoring and Validation 11
Zero Trust Concepts and Definitions 13
Multifactor Authentication 13
Microsegmentation 14
Protect Surface 15
Data, Applications, Assets, Services (DAAS) 15
The Five Steps to Deploying Zero Trust 16
Step 1: Define the Protect Surface 16
Step 2: Map the Transaction Flows 17
Step 3: Build the Zero Trust Architecture 17
Step 4: Create the Zero Trust Policy 17
Step 5: Monitor and Maintain the Network 19
Zero Trust Frameworks and Guidance 20
Zero Trust Enables Business 22
Cybersecurity and Third-Party Risk 22
What Is Cybersecurity and Third-Party Risk? 23
Overview of How to Start or Mature a Program 25
Start Here 25
Intake, Questions, and Risk-Based Approach 27
Remote Questionnaires 28
Contract Controls 29
Physical Validation 30
Continuous Monitoring 31
Disengagement and Cybersecurity 33
Reporting and Analytics 34
ZT with CTPR 35
Why Zero Trust and Third-Party Risk? 35
How to Approach Zero Trust and Third-Party Risk 37
ZT/CTPR OSI Model 38
Chapter 2 Zero Trust and Third-Party Risk Model 43
Zero Trust and Third-Party Users 43
Access Control Process 44
Identity: Validate Third-Party Users with Strong Authentication 45
Five Types of Strong Authentication 47
Identity and Access Management 50
Privileged Access Management 52
Device/Workload: Verify Third-Party User Device Integrity 54
Access: Enforce Least-Privilege Access for Third-Party Users to Data and Apps 57
Groups 57
Work Hours 58
Geo-Location 58
Device-Based Restrictions 58
Auditing 59
Transaction: Scan All Content for Third-Party
Malicious Activity 59
IDS/IPS 60
DLP 60
SIEM 61
UBAD 61
Governance 62
Zero Trust and Third-Party Users Summary 62
Zero Trust and Third-Party Applications 63
Identity: Validate Third-Party Developers, DevOps, and Admins with Strong Auth 64
Privileged User Groups 64
Multifactor Authentication 64
Just-in-Time Access 65
Privileged Access Management 65
Audit and Logging 66
Device/Workload: Verify Third-Party Workload Integrity 66
Access: Enforce Least-Privilege Access for Third-Party Workloads
Accessing Other Workloads 67
Transaction: Scan All Content for Third-Party Malicious Activity and Data Theft 68
Zero Trust and Third-Party Applications Summary 70
Zero Trust and Third-Party Infrastructure 70
Identity: Validate Third-Party Users with Access to Infrastructure 71
Device/Workload: Identify All Third-Party Devices (Including IoT) 72
Software-Defined Perimeter 74
Encryption 74
Updates 75
Enforce Strong Passwords 75
Vulnerability and Secure Development Management 75
Logging and Monitoring 76
Access: Enforce Least-Privilege Access Segmentation for Third-Party Infrastructure 76
Transaction: Scan All Content Within the Infra for Third-Party Malicious Activity and Data Theft 77
Zero Trust and Third-Party Infrastructure Summary 78
Chapter 3 Zero Trust and Fourth-Party Cloud (SaaS) 79
Cloud Service Providers and Zero Trust 80
Zero Trust in Amazon Web Services 81
Zero Trust in Azure 83
Zero Trust in Azure Storage 85
Zero Trust on Azure Virtual Machines 87
Zero Trust on an Azure Spoke VNet 87
Zero Trust on an Azure Hub VNet 88
Zero Trust in Azure Summary 88
Zero Trust in Google Cloud 88
Identity-Aware Proxy 89
Access Context Manager 90
Zero Trust in Google Cloud Summary 91
Vendors and Zero Trust Strategy 91
Zero Trust at Third Parties as a Requirement 91
A Starter Zero Trust Security Assessment 92
A Zero Trust Maturity Assessment 95
Pillar 1: Identity 98
Pillar 2: Device 101
Pillar 3: Network/Environment 104
Pillar 4: Application/Workload 107
Pillar 5: Data 110
Cross-cutting Capabilities 113
Zero Trust Maturity Assessment for Critical Vendors 115
Part I: Zero Trust and Third-Party Risk
Explained Summary 119
Part II Apply the Lessons from Part I 121
Chapter 4 KC Enterprises: Lessons Learned in ZT and CTPR 123
Kristina Conglomerate Enterprises 124
KC Enterprises' Cyber Third-Party Risk Program 127
KC Enterprises' Cybersecurity Policy 127
Scope 127
Policy Statement and Objectives 128
Cybersecurity Program 128
Classification of Information Assets 129
A Really Bad Day 130
Then the Other Shoe Dropped 133
Chapter 5 Plan for a Plan 139
KC's ZT and CTPR Journey 139
Define the Protect Surface 143
Map Transaction Flows 146
Architecture Environment 148
Deploy Zero Trust Policies 159
Logical Policies and Environmental Changes 159
Zero Trust for Third-Party Users at KC Enterprises 161
Third-Party User and Device Integrity 161
Third-Party Least-Privileged Access 163
Third-Party User and Device Scanning 165
Zero Trust for Third-Party Applications at KC Enterprises 166
Third-Party Application Development and Workload Integrity 166
Third-Party Application Least-Privileged Access Workload to Workload 168
Third-Party Application Scanning 168
Zero Trust for Third-Party Infrastructure at KC Enterprises 169
Third-Party User Access to Infrastructure 169
Third-Party Device Integrity 170
Third-Party Infrastructure Segmentation 170
Third-Party Infrastructure Scanning 171
Written Policy Changes 172
Identity and Access Management Program 172
Vulnerability Management Program 173
Cybersecurity Incident Management Program 174
Cybersecurity Program 175
Cybersecurity Third-Party Risk Program 175
Third-Party Security Standard 177
Information Security Addendum 181
Assessment Alignment and Due Diligence 198
Third-Party Risk Management Program 202
Legal Policies 203
Monitor and Maintain 205
Part II: Apply the Lessons from Summary 206
Acknowledgments 209
About the Author 211
About the Technical Editor 211
Index 213
INTRODUCTION: Reduce the Blast Radius xvii
Part I Zero Trust and Third-Party Risk Explained 1
Chapter 1 Overview of Zero Trust and Third-Party Risk 3
Zero Trust 3
What Is Zero Trust? 4
The Importance of Strategy 5
Concepts of Zero Trust 6
1. Secure Resources 7
2. Least Privilege and Access Control 8
3. Ongoing Monitoring and Validation 11
Zero Trust Concepts and Definitions 13
Multifactor Authentication 13
Microsegmentation 14
Protect Surface 15
Data, Applications, Assets, Services (DAAS) 15
The Five Steps to Deploying Zero Trust 16
Step 1: Define the Protect Surface 16
Step 2: Map the Transaction Flows 17
Step 3: Build the Zero Trust Architecture 17
Step 4: Create the Zero Trust Policy 17
Step 5: Monitor and Maintain the Network 19
Zero Trust Frameworks and Guidance 20
Zero Trust Enables Business 22
Cybersecurity and Third-Party Risk 22
What Is Cybersecurity and Third-Party Risk? 23
Overview of How to Start or Mature a Program 25
Start Here 25
Intake, Questions, and Risk-Based Approach 27
Remote Questionnaires 28
Contract Controls 29
Physical Validation 30
Continuous Monitoring 31
Disengagement and Cybersecurity 33
Reporting and Analytics 34
ZT with CTPR 35
Why Zero Trust and Third-Party Risk? 35
How to Approach Zero Trust and Third-Party Risk 37
ZT/CTPR OSI Model 38
Chapter 2 Zero Trust and Third-Party Risk Model 43
Zero Trust and Third-Party Users 43
Access Control Process 44
Identity: Validate Third-Party Users with Strong Authentication 45
Five Types of Strong Authentication 47
Identity and Access Management 50
Privileged Access Management 52
Device/Workload: Verify Third-Party User Device Integrity 54
Access: Enforce Least-Privilege Access for Third-Party Users to Data and Apps 57
Groups 57
Work Hours 58
Geo-Location 58
Device-Based Restrictions 58
Auditing 59
Transaction: Scan All Content for Third-Party
Malicious Activity 59
IDS/IPS 60
DLP 60
SIEM 61
UBAD 61
Governance 62
Zero Trust and Third-Party Users Summary 62
Zero Trust and Third-Party Applications 63
Identity: Validate Third-Party Developers, DevOps, and Admins with Strong Auth 64
Privileged User Groups 64
Multifactor Authentication 64
Just-in-Time Access 65
Privileged Access Management 65
Audit and Logging 66
Device/Workload: Verify Third-Party Workload Integrity 66
Access: Enforce Least-Privilege Access for Third-Party Workloads
Accessing Other Workloads 67
Transaction: Scan All Content for Third-Party Malicious Activity and Data Theft 68
Zero Trust and Third-Party Applications Summary 70
Zero Trust and Third-Party Infrastructure 70
Identity: Validate Third-Party Users with Access to Infrastructure 71
Device/Workload: Identify All Third-Party Devices (Including IoT) 72
Software-Defined Perimeter 74
Encryption 74
Updates 75
Enforce Strong Passwords 75
Vulnerability and Secure Development Management 75
Logging and Monitoring 76
Access: Enforce Least-Privilege Access Segmentation for Third-Party Infrastructure 76
Transaction: Scan All Content Within the Infra for Third-Party Malicious Activity and Data Theft 77
Zero Trust and Third-Party Infrastructure Summary 78
Chapter 3 Zero Trust and Fourth-Party Cloud (SaaS) 79
Cloud Service Providers and Zero Trust 80
Zero Trust in Amazon Web Services 81
Zero Trust in Azure 83
Zero Trust in Azure Storage 85
Zero Trust on Azure Virtual Machines 87
Zero Trust on an Azure Spoke VNet 87
Zero Trust on an Azure Hub VNet 88
Zero Trust in Azure Summary 88
Zero Trust in Google Cloud 88
Identity-Aware Proxy 89
Access Context Manager 90
Zero Trust in Google Cloud Summary 91
Vendors and Zero Trust Strategy 91
Zero Trust at Third Parties as a Requirement 91
A Starter Zero Trust Security Assessment 92
A Zero Trust Maturity Assessment 95
Pillar 1: Identity 98
Pillar 2: Device 101
Pillar 3: Network/Environment 104
Pillar 4: Application/Workload 107
Pillar 5: Data 110
Cross-cutting Capabilities 113
Zero Trust Maturity Assessment for Critical Vendors 115
Part I: Zero Trust and Third-Party Risk
Explained Summary 119
Part II Apply the Lessons from Part I 121
Chapter 4 KC Enterprises: Lessons Learned in ZT and CTPR 123
Kristina Conglomerate Enterprises 124
KC Enterprises' Cyber Third-Party Risk Program 127
KC Enterprises' Cybersecurity Policy 127
Scope 127
Policy Statement and Objectives 128
Cybersecurity Program 128
Classification of Information Assets 129
A Really Bad Day 130
Then the Other Shoe Dropped 133
Chapter 5 Plan for a Plan 139
KC's ZT and CTPR Journey 139
Define the Protect Surface 143
Map Transaction Flows 146
Architecture Environment 148
Deploy Zero Trust Policies 159
Logical Policies and Environmental Changes 159
Zero Trust for Third-Party Users at KC Enterprises 161
Third-Party User and Device Integrity 161
Third-Party Least-Privileged Access 163
Third-Party User and Device Scanning 165
Zero Trust for Third-Party Applications at KC Enterprises 166
Third-Party Application Development and Workload Integrity 166
Third-Party Application Least-Privileged Access Workload to Workload 168
Third-Party Application Scanning 168
Zero Trust for Third-Party Infrastructure at KC Enterprises 169
Third-Party User Access to Infrastructure 169
Third-Party Device Integrity 170
Third-Party Infrastructure Segmentation 170
Third-Party Infrastructure Scanning 171
Written Policy Changes 172
Identity and Access Management Program 172
Vulnerability Management Program 173
Cybersecurity Incident Management Program 174
Cybersecurity Program 175
Cybersecurity Third-Party Risk Program 175
Third-Party Security Standard 177
Information Security Addendum 181
Assessment Alignment and Due Diligence 198
Third-Party Risk Management Program 202
Legal Policies 203
Monitor and Maintain 205
Part II: Apply the Lessons from Summary 206
Acknowledgments 209
About the Author 211
About the Technical Editor 211
Index 213
GREGORY C. RASNER is the author of the previous book Cybersecurity & Third-Party Risk: Third-Party Threat Hunting and the content creator of training and certification program "Third-Party Cyber Risk Assessor" (Third Party Risk Association, 2023). Greg is the co-chair for ISC² Third-Party Risk Task Force and is an advisor to local colleges on technology and cybersecurity.
